Configure Scan Settings for External Assessment

Configure scan settings for External Assessment to control how scans run, including authentication, browser sessions, rate limits, and manual crawling.

Authentication Mode

Authentication Mode determines whether the scan runs with or without user authentication. You can select one or both modes to run comprehensive scans.

Unauthenticated

  • This mode runs scans without requiring any logged-in user session.

  • Scans public-facing pages that don't require login.

  • The system won’t utilize any browser session during the scan.

  • Ideal for identifying public endpoints, testing vulnerabilities that don’t require authentication, or mapping out public attack surfaces.

Authenticated

  • In this mode, scans are conducted using logged-in user sessions.

  • Scans pages and features that require authentication.

  • Uses browser sessions you've configured to access protected areas.

  • Ideal for testing authenticated features, role-based access controls, or user-specific functionality.

Note: If you select Authenticated mode, you must also configure at least one browser session.


Browser Sessions

Browser sessions store information (cookies, local storage, session storage) that represents a specific user role or permission level in the application. The scan uses them to behave like a real authenticated user.

Selecting Existing Browser Sessions

  1. After selecting Authenticated mode, a Browser Sessions dropdown will appear.

  2. Click the dropdown to see all available browser sessions for the selected domain.

  3. You can select multiple browser sessions; each one runs a separate authenticated assessment.

Import Browser Session

The Import Browser Session feature allows you to create new browser sessions either by recording them live or importing them from a file.

When Authenticated Mode is selected, you’ll see a Browser Session Section with an Import Browser Session button. This opens a modal with two options:

  • Record

  • Import (Legacy)

Option 1: Record

Opens a browser window on your configured SANDBOX agent where you can manually navigate through the website and record your session. This captures cookies, storage, and browser actions automatically. It also helps Pentest Copilot learn more about the domain, which improves the quality of the assessment.

Guide: Recording Browser Session

Option 2: Import (Legacy)

Allows you to upload a browser session JSON file or paste a browser session that was exported using the Pentest Copilot Browser Session Exporter browser extension.

Guide: Importing Browser Session (Legacy)

Validating Browser Session

After a browser session is created, it is essential to validate whether the session can be reliably replicated. This validation also helps identify edge cases where applying the session state may fail.

The guide below outlines the recommended steps to validate browser sessions before initiating any scans.

Guide: Recording Browser Session

Rate Limit

Controls how many HTTP requests the scanner makes per second. This helps prevent overwhelming target servers and avoids triggering rate limiting or blocking.


Ignore 404 Check

When enabled, the system will keep webpages that might be 404 (not found) error pages instead of automatically filtering them out.

Default Behaviour: By default, the system automatically detects and filters out pages that look like 404 error pages. This helps focus on real, accessible content.

When to enable Ignore 404 Check:

  • The site uses custom error pages that accidentally match real pages.

  • You are testing a site with unusual routing where many valid pages look similar.

  • You want to analyse 404 pages for information disclosure.

  • The target site has custom 404 pages that might contain useful information.
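As an added illustration (not Pentest Copilot's own detection logic, whose exact heuristics this page does not document), the Python sketch below shows one common way a scanner decides that a 200 response "looks like" a 404 and what the Ignore 404 Check toggle changes: each crawled page is compared against the response for a path that certainly does not exist. The pages are constructed samples, and the fingerprint (status, title, size bucket) is an assumption made for the example.

```python
import re
from dataclasses import dataclass


@dataclass
class Page:
    url: str
    status: int
    body: str


# Constructed sample crawl results (not real responses). The site answers
# unknown paths with HTTP 200 and a branded error page; one real route
# reuses the same template and would be lost by a naive soft-404 filter.
BASELINE = Page("/zq8v-this-path-does-not-exist", 200,
                "<html><title>Page not found</title><body>Sorry, nothing here.</body></html>")
CRAWLED = [
    Page("/", 200, "<html><title>Home</title><body>Welcome to the shop.</body></html>"),
    Page("/old-promo", 200, "<html><title>Page not found</title><body>Sorry, nothing here.</body></html>"),
    Page("/admin/reports", 200,
         "<html><title>Page not found</title><body>Sorry, nothing here. Build 4.2.1 (prod-01)</body></html>"),
    Page("/robots.txt", 404, "Not Found"),
]


def fingerprint(page: Page) -> tuple:
    """Coarse signature used to decide whether two responses are 'the same page'."""
    m = re.search(r"<title>(.*?)</title>", page.body, re.I | re.S)
    title = m.group(1).strip().lower() if m else ""
    return (page.status, title, len(page.body) // 256)


def looks_like_404(page: Page, baseline: Page) -> bool:
    # A hard 404 is unambiguous; otherwise compare against the known-missing path.
    return page.status == 404 or fingerprint(page) == fingerprint(baseline)


def filter_pages(pages, baseline: Page, ignore_404_check: bool = False) -> list:
    """Default: drop suspected 404 pages. Ignore 404 Check enabled: keep every page."""
    if ignore_404_check:
        return [p.url for p in pages]
    return [p.url for p in pages if not looks_like_404(p, baseline)]


if __name__ == "__main__":
    print("default:   ", filter_pages(CRAWLED, BASELINE))
    print("ignore 404:", filter_pages(CRAWLED, BASELINE, ignore_404_check=True))
```

With the default filter the "/admin/reports" page (whose error template leaks a build string) is discarded along with the real soft 404; enabling the toggle keeps it for analysis.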


Fail Module on Invalid Session

When enabled, the module will immediately fail if the browser session becomes invalid (expired or logged out) during scanning, without attempting to continue or regenerate the session.

Default Behaviour: By default, if a session becomes invalid, the system may attempt to regenerate the session and continue the assessment.

When to Enable: Enable this option if you want the scan to stop immediately when the browser session is invalid, without regeneration attempts.


Skip Browser Session Validation

When enabled, the system skips validation checks that verify browser sessions are still valid before starting jobs. This can speed up scans but may result in failures if sessions are invalid.

Default Behaviour: By default, the system validates browser sessions before running jobs to ensure they're still active and valid.

When to Enable: Enable this option when you want to skip the pre-run session checks to speed up the scan and are willing to accept that jobs will fail if the session turns out to be invalid.

Note: This option only appears when Authenticated mode is selected.


Force Separate Driver

When enabled, this option runs each test using a separate Chrome browser instance instead of opening multiple tabs within a single browser window.

Default Behaviour: By default, Pentest Copilot uses a single Chrome browser and executes tests in parallel by opening multiple tabs within that browser.

When to Enable: Enable this option if the target application cannot reliably maintain session state across multiple tabs, for example when opening the same application in different tabs causes session collisions, forced logouts, overwritten state, or other interference between tests.

Why Use It: Using separate browser instances ensures full isolation between test flows, preventing shared session, cookie, or storage conflicts that may lead to false negatives or unstable scan results.


Custom Headers

Allows you to add custom HTTP headers that will be sent with every request during scanning. This is useful for adding API keys, custom authentication tokens, or other headers required by the target application.


Manual Crawler

Manual Crawler allows you to manually navigate through a website and create trajectories (sequences of actions) that can be tested and replayed. This is useful for creating specific test scenarios or exploring complex user flows.

Guide: Manual Crawler

Attack Vectors

Attack vectors (also called Focus Categories) allow you to specify which types of vulnerabilities to prioritise during scanning. This helps focus the scan on areas most relevant to your security testing goals.

Available Attack Vectors

The available attack vectors depend on your system configuration. Common categories include:

  • Authentication Issues

  • Authorization Problems

  • Input Validation

  • SQL Injection

  • XSS (Cross-Site Scripting)

  • CSRF (Cross-Site Request Forgery)

  • File Upload Vulnerabilities

  • API Security Issues

  • And more...
